mirror of
https://github.com/linuxkit/linuxkit.git
synced 2025-09-19 10:01:24 +00:00
fa1829529d
This patch uses coreos grub2 instead of the built-in gummiboot tool with Alpine distribution. Coreos grub2 has the security feature such as TPM and kernel verification, so we can setup a trust chain when loading modules with grub2. GNU grub2[1] also has the plan to add those security related features, they have a 'verifiers' branch to do that, but there're some build issue need to fix,so this patch use coreos as an alternative. This patch is used to address the #2359 #2375. Thanks Avi Deitcher <avi@deitcher.net> for the contribution to build the GRUB2 from ubuntu 16.04 to alpine base image. Change Log: 1.Address the comments raised by @rn 2.Change the '/dev/vda' as the device name point by kernel command line 'root=' on arm64, '/dev/sr0' on amd64. As next plan, we can adapt a more flexible method to get the dev name of the CDROM. 3.Switch the base image to build grub2 from ubuntu 16.04 to alpine. 4.'linux' as the grub2 menu entry on arm64, while 'linuxefi' on amd64. [1] https://git.savannah.gnu.org/git/grub.git Signed-off-by: Dennis Chen <dennis.chen@arm.com>
85 lines
2.5 KiB
Bash
Executable File
85 lines
2.5 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
set -e
|
|
|
|
# get the GRUB2 boot file name
|
|
ARCH=`uname -m`
|
|
case $ARCH in
|
|
x86_64)
|
|
BOOTFILE=BOOTX64.EFI
|
|
ROOTDEV=/dev/sr0
|
|
LINUX_ENTRY=linuxefi
|
|
;;
|
|
aarch64)
|
|
BOOTFILE=BOOTAA64.EFI
|
|
ROOTDEV=/dev/vda
|
|
LINUX_ENTRY=linux
|
|
;;
|
|
esac
|
|
|
|
mkdir -p /tmp/efi
|
|
cd /tmp/efi
|
|
|
|
# input is a tarball on stdin with kernel and cmdline in /boot
|
|
# output is an iso on stdout
|
|
|
|
# extract. BSD tar auto recognises compression, unlike GNU tar
|
|
# only if stdin is a tty, if so need files volume mounted...
|
|
[ -t 0 ] || bsdtar xzf -
|
|
|
|
CMDLINE="$(cat boot/cmdline)"
|
|
# if no root= root device specified, assume /dev/{sr0, vda} ie first CD drive
|
|
# need to detect the root device automatically in the future
|
|
echo "${CMDLINE}" | grep -q 'root=' || CMDLINE="${CMDLINE} root=${ROOTDEV}"
|
|
rm boot/cmdline
|
|
|
|
cp /usr/local/share/$BOOTFILE .
|
|
|
|
CFG="set timeout=0
|
|
set gfxpayload=text
|
|
menuentry 'LinuxKit ISO Image' {
|
|
$LINUX_ENTRY /boot/kernel ${CMDLINE} text
|
|
}
|
|
"
|
|
|
|
mkdir -p EFI/BOOT
|
|
printf "$CFG" > EFI/BOOT/grub.cfg
|
|
|
|
# create a ISO with a EFI boot partition
|
|
# Stuff it into a FAT filesystem, making it as small as possible. 511KiB
|
|
# headroom seems to be enough; (x+31)/32*32 rounds up to multiple of 32.
|
|
mkfs.vfat -v -C boot.img \
|
|
$(( ($(stat -c %s "${BOOTFILE}") / 1024 + 511) \
|
|
/ 32 * 32 )) > /dev/null
|
|
echo "mtools_skip_check=1" >> /etc/mtools.conf && \
|
|
mmd -i boot.img ::/EFI
|
|
mmd -i boot.img ::/EFI/BOOT
|
|
mcopy -i boot.img $BOOTFILE ::/EFI/BOOT/
|
|
|
|
rm $BOOTFILE
|
|
|
|
xorriso -as mkisofs \
|
|
-R -e boot.img -hide boot.img -hide boot.catalog -no-emul-boot -o linuxkit-efi.iso .
|
|
|
|
cat linuxkit-efi.iso
|
|
|
|
# How to build a VHDX. Commented out because we are currently not using it
|
|
# Don't delete: It took too long to figure out how to do this...
|
|
# # create a disk image (150MB)
|
|
# # This is a little odd, as we run this as part of the default command.
|
|
# # Can't run this during the build step as it requires privilege.
|
|
# # The Magic numbers in losetup are startsector (2048) times 512 and
|
|
# # (endsector - startsector) * 512
|
|
# CMD cd /tmp/efi && \
|
|
# dd if=/dev/zero of=disk.raw bs=1024 count=51200 && \
|
|
# sgdisk -N 1 -t 1:ef00 disk.raw && \
|
|
# losetup -o 1048576 --sizelimit 51362816 /dev/loop/1 disk.raw && \
|
|
# mkfs.vfat /dev/loop/1 && \
|
|
# echo "drive c: file=\"/dev/loop/1\" mtools_skip_check=1" > /etc/mtools.conf && \
|
|
# mmd c:/EFI && \
|
|
# mmd c:/EFI/BOOT && \
|
|
# mcopy linuxkit.efi c:/EFI/BOOT/BOOTX64.EFI && \
|
|
# losetup -d /dev/loop/1 && \
|
|
# qemu-img convert -O vhdx disk.raw linuxkit-boot.vhdx && \
|
|
# cp /tmp/efi/linuxkit.efi /tmp/efi/linuxkitefi.iso /tmp/efi/linuxkit-boot.vhdx /mnt/
|